7.2.1. Dissector¶

dissector Ipv4Dissector¶

Name :	'ipv4'
Extend :	haka.helper.PacketDissector

IP version 4 packet dissector.

ipv4.register_proto(proto, dissector)¶

Parameters:	proto (number) – IP protocol number. dissector (Dissector) – Dissector to use.

Register the dissector to associate with the given IP protocol number.

ipv4.create(pkt) → ip¶

Parameters:	pkt (dissector) – Lower level packet.
Returns:	ip (Ipv4Dissector) – Created packet.

Create a new IPv4 packet on top of a lower level packet (raw for instance).

<Ipv4Dissector>.hdr_len¶

<Ipv4Dissector>.version¶

<Ipv4Dissector>.tos¶

<Ipv4Dissector>.len¶

<Ipv4Dissector>.id¶

<Ipv4Dissector>.frag_offset¶

<Ipv4Dissector>.ttl¶

<Ipv4Dissector>.proto¶

<Ipv4Dissector>.checksum¶

Type:	number

IPv4 fields.

<Ipv4Dissector>.src¶

<Ipv4Dissector>.dst¶

Type:	addr

Source and destination.

<Ipv4Dissector>.flags.rb¶

<Ipv4Dissector>.flags.df¶

<Ipv4Dissector>.flags.mf¶

Type:	boolean

IPv4 flags.

<Ipv4Dissector.flags>.all¶

Type:	number

All flags raw value.

<Ipv4Dissector>.payload¶

Type:	vbuffer

Payload of the packet.

<Ipv4Dissector>:verify_checksum() → correct¶

Returns:	correct (boolean) – true if the checksum is correct.

Verify if the checksum is correct.

<Ipv4Dissector>:compute_checksum()¶

Recompute the checksum and set the resulting value in the packet.

<Ipv4Dissector>:drop()¶

Drop the packet.

<Ipv4Dissector>:send()¶

Send the packet.

<Ipv4Dissector>:inject()¶

Inject the packet.

7.2.2. Events¶

event ipv4.events.receive_packet(pkt)¶

Parameters:	pkt (Ipv4Dissector) – IPv4 packet.

Event that is triggered whenever a new packet is received.

event ipv4.events.send_packet(pkt)¶

Parameters:	pkt (Ipv4Dissector) – IPv4 packet.

Event that is triggered just before sending a packet on the network.

7.2.3. Utilities¶

object addr¶

Represent an ipv4 address.

ipv4.addr(str) → addr¶

ipv4.addr(addr) → addr

ipv4.addr(a, b, c, d) → addr

Parameters:	str (string) – IP address as a string representation (ie. '127.0.0.1') addr (number) – IP address as a number representation (ie. 0x0100007f) a,b,c,d – IP address as a byte representation
Returns:	addr (addr) – Created address.

Address constructors.

Examples:

ipv4.addr("127.0.0.1")
ipv4.addr(0x0100007f)
ipv4.addr(127, 0, 0, 1)

<addr>.packed¶

Type:	number

Packed representation of the IP address.

tostring(<addr>) → str¶

Returns:	str (string) – String representation of the address.

Convert an address to its string representation.

object network¶

Class used to represent an ipv4 network address.

ipv4.network(str) → net¶

ipv4.network(ipaddr, mask) → net

Parameters:	str (string) – String representation of the IP network (ie. '127.0.0.1/8'). ipaddr (addr) – IP network address. mask (number) – IP network mask.
Returns:	net (network) – New IP network.

Network constructors.

Examples:

ipv4.network("127.0.0.1/8")
ipv4.network(ipv4.addr(127, 0, 0, 1), 8)

const <network>.net¶

Type:	addr

Network address.

const <network>.mask¶

Type:	number

Network mask.

<network>:contains(addr) → bool¶

Parameters:	addr (addr) – An IP address
Returns:	bool (boolean) – true if IP address belong to the network, false otherwise.

Check if the IP address belong to the network.

tostring(<network>) → str¶

Returns:	str (string) – String representation of the network.

Convert a network to its string representation.

object inet_checksum¶

Helper to compute inet checksum on buffers pieces by pieces.

ipv4.checksum_partial() → new¶

Returns:	new (inet_checksum) – New inet checksum helper.

Create a new inet checksum helper.

ipv4.process(buffer)¶

ipv4.process(sub)

Parameters:	buffer (vbuffer ) – Buffer to process. sub (vbuffer_sub ) – Sub-buffer to process.

Process the buffer to compute its checksum value. This function can be called multiple times to compute it on data represented by multiple buffers.

ipv4.reduce() → checksum¶

Returns:	checksum (number) – Final checksum value.

Compute the final inet checksum value. This function must be called at the end after one or multiple calls to process().

object cnx_table¶

Object used to create a table of connections. The connection table uses source and destination IP along with some source and destination ports. Those ports can be extracted from TCP or UDP for instance.

ipv4.cnx_table() → table¶

Returns:	table (cnx_table) – New connection table

Create a new connection table.

<cnx_table>:create(srcip, dstip, srcport, dstport) → cnx¶

Parameters:	srcip (addr) – Source IP. dstip (addr) – Destination IP. srcport (number) – Source port. dstport (number) – Destination port.
Returns:	cnx (cnx) – New connection

Create a new entry in the connection table.

<cnx_table>:get(srcip, dstip, srcport, dstport) → cnx¶

Parameters:	srcip (addr) – Source IP. dstip (addr) – Destination IP. srcport (number) – Source port. dstport (number) – Destination port.
Returns:	cnx (cnx) – Corresponding connection

Get an entry in the connection table.

object cnx¶

Object that represent a connection.

<cnx>.data¶

Data that can be used to associate any Lua object with the connection.

<cnx>:close()¶

Close the connection. It will be removed from the associated table.

<cnx>:drop()¶

Mark the connection as dropped. The connection remains in the table until <cnx>.close() is called.

7.2.4. Example¶

------------------------------------
-- IP attacks
------------------------------------

haka.rule {
    hook = ipv4.events.receive_packet,
    eval = function (pkt)
        if pkt.src == pkt.dst and pkt.src ~= ipv4.addr("127.0.0.1") then
            haka.alert{
                description = "Land attack detected",
                severity = 'high',
                confidence = 'medium',
                sources = { haka.alert.address(pkt.src) },
            }
            pkt:drop()
        end
    end
}